As distributed processing networks rise in prominence in the information age, network security is becoming increasingly important to both governmental and nongovernmental entities. In the network security field, “intrusion” is a broad term encompassing many deleterious activities that generally target one or more of data, media, and equipment. Such activities include acquiring information that the would-be acquirer is not authorized to have (known as information theft), rendering a network system or application unusable (known as Denial of Service or DoS), and gaining unauthorized use of a network component as a stepping stone for further intrusions elsewhere. Most intrusions follow a pattern of information gathering, attempted access, and then destructive attacks. As used herein, “attack” refers generally to all types of intrusions (including “scans”, “floods”, and “attacks” as understood by one of skill in the art).
Attacks, particularly highly sophisticated attacks, are often difficult to detect. In most attacks, the attacker uses “spoofed” packets that are not easily traceable to their true origin. To hide their identities, attackers make unauthorized use of machines or networks of other parties.
A number of systems have been developed to detect attacks.
The most commonly employed system is a firewall, which allows the system or network manager to restrict access to components on the network. At the simplest level, a firewall is a packet filter facility that can restrict the flow of packets to and from a network via a set of rules implemented in an interconnection device. Examples of firewalls include frame-filtering firewalls, packet-filter firewalls, circuit gateway firewalls, and stateful firewalls. Firewalls are not very effective at fine-grained prevention but can complement other types of network security systems. They cannot prevent an attack once the firewall has “approved” entry of a host into the internal network, nor an attack initiated from within the internal network.
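The packet-filter behaviour described above, as an added illustration that is not part of the original text: a first-match rule set evaluated purely on packet header fields (source and destination address, destination port). The rule set, addresses and packets are constructed for the example, and the `filter_packet` and `match` helpers are hypothetical names. It also shows the limitation the paragraph notes: once a source is allowed by a rule, everything it sends that matches that rule passes, because the filter never looks past the headers.

```python
from ipaddress import ip_address, ip_network

# Constructed rule set (not from the page). Each rule is
# (action, source network, destination network, destination port or None for any).
# Rules are evaluated top to bottom; the first match decides.
RULES = [
    ("allow", "203.0.113.0/24", "192.168.1.0/24", 5060),  # hypothetical partner SIP trunk
    ("allow", "0.0.0.0/0", "192.168.1.10/32", 443),       # hypothetical public web server
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),             # explicit default deny
]


def compile_rules(rules):
    """Pre-parse the CIDR strings once so matching is cheap per packet."""
    return [(action, ip_network(src), ip_network(dst), port)
            for action, src, dst, port in rules]


def match(rule, src, dst, dport):
    """True if the packet's header fields fall inside the rule's scope."""
    _action, src_net, dst_net, port = rule
    return (ip_address(src) in src_net
            and ip_address(dst) in dst_net
            and (port is None or port == dport))


def filter_packet(compiled_rules, src, dst, dport):
    """Return the action of the first matching rule; no match means deny.

    Note what is NOT a parameter here: the payload. A stateless packet
    filter decides on headers only, which is why it cannot stop an attack
    carried inside traffic from an already-approved host."""
    for rule in compiled_rules:
        if match(rule, src, dst, dport):
            return rule[0]
    return "deny"


if __name__ == "__main__":
    compiled = compile_rules(RULES)
    # Constructed sample packets: (src, dst, dport)
    packets = [
        ("203.0.113.7", "192.168.1.20", 5060),   # allowed by the trunk rule
        ("198.51.100.9", "192.168.1.20", 5060),  # unknown source to SIP: denied
        ("198.51.100.9", "192.168.1.10", 443),   # anyone may reach the web server
        ("203.0.113.7", "192.168.1.20", 22),     # trunk host, wrong port: denied
    ]
    for src, dst, dport in packets:
        print(f"{src} -> {dst}:{dport} => {filter_packet(compiled, src, dst, dport)}")
```

The verdict for the first packet stays `allow` whatever the SIP payload contains; that is the gap the paragraph says other network security systems must fill.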
Network-based systems include signature-based and rate-based systems. Signature-based systems rely on an electronic signature, such as a certificate and/or key, to provide a trusted relationship with the source. Such systems need to be configured with signatures of known vulnerabilities and must track state per session. These systems are able to prevent only known attacks; that is, the attack signature must be known and deployed before the attack attempt can be recognized. To make matters worse, signature-based systems find it nearly impossible to detect policy-based violations. The required application-awareness forces such systems to be tuned to a limited set of applications, which creates a scaling issue. Rate-based systems normally create a table of connections originating from a single source to the different destinations in the enterprise network and apply heuristics to the height and width of the table to identify a potential attack profile. Rate-based systems commonly deal only with denial-of-service-type attacks and may often miss DoS attacks that are more detectable at the higher application layers of the OSI model. Rate-based systems also may need to be deployed in-line to receive and process all network traffic. This in-line configuration can lead to a single point of failure, which is a concern for high-availability networks.
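The rate-based connection table described above, as an added example that is not the page's own method: each source gets a row keyed by destination, the row's width is its number of distinct destinations and its height is the largest connection count to any one destination, and threshold heuristics on those two dimensions flag a source. The flow records, thresholds and function names (`build_connection_table`, `row_dimensions`, `classify`) are constructed for this illustration.

```python
from collections import defaultdict


def constructed_flows():
    """Constructed sample flow records (source, destination, destination port).

    Generated in code to keep the example short; none of these values are
    from the page."""
    flows = []
    # Source A touches 12 distinct internal hosts once each: a wide row.
    for i in range(12):
        flows.append(("10.0.0.5", f"192.168.1.{10 + i}", 80))
    # Source B opens 25 connections to the same host: a tall row.
    for _ in range(25):
        flows.append(("10.0.0.6", "192.168.1.20", 5060))
    # Source C is ordinary: two connections to two hosts.
    flows.append(("10.0.0.7", "192.168.1.10", 443))
    flows.append(("10.0.0.7", "192.168.1.11", 443))
    return flows


def build_connection_table(flows):
    """Map each source to {destination: number of connections}."""
    table = defaultdict(lambda: defaultdict(int))
    for src, dst, _port in flows:
        table[src][dst] += 1
    return table


def row_dimensions(row):
    """Width = distinct destinations; height = most connections to one destination."""
    return len(row), max(row.values(), default=0)


def classify(table, width_limit=10, height_limit=20):
    """Apply the height/width heuristics to every source's row.

    Thresholds are constructed for the example; a real deployment would tune
    them per network and per protocol."""
    verdicts = {}
    for src, row in table.items():
        width, height = row_dimensions(row)
        flags = []
        if width >= width_limit:
            flags.append("wide")   # many destinations from one source
        if height >= height_limit:
            flags.append("tall")   # many connections to a single destination
        verdicts[src] = "+".join(flags) or "normal"
    return verdicts


if __name__ == "__main__":
    table = build_connection_table(constructed_flows())
    for src, verdict in sorted(classify(table).items()):
        width, height = row_dimensions(table[src])
        print(f"{src}: width={width} height={height} -> {verdict}")
```

Because the table counts only connections, a source that stays under both thresholds is invisible to it regardless of what the connections carry; that is the gap the paragraph points to when it says such systems may miss attacks that are only detectable at the application layers.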
Anomaly or behavior-based Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) detect network protocol violations and behavior that violates normal usage patterns. Examples of IDS and IPS systems include U.S. Patent Application Publications 3002/0145225 and 2004/0064731, each of which is incorporated herein by this reference.
The various systems noted above are generally application unaware and therefore frequently unable to detect attacks directed at applications that do not violate network protocols or that fall within normal usage patterns. They are generally limited to layers 2 (data link layer), 3 (network layer), and 4 (transport layer) of the OSI model and fail to take into account information at higher layers in the model. As a result, attacks targeting these higher layers are often undetectable.
Some of the above systems are able to perform deep-packet stateful inspection to decipher application-level DoS attempts and resource exhaustion. Such inspection, however, cannot examine encrypted data, so it cannot perform effective higher-layer traffic and state analysis on that traffic. It can not only delay traffic while the traffic is inspected but also leave the system unable to scale to large deployments while continuing to meet the real-time requirements of IP communications.
While it is true that cryptographically strong identity and access management makes it harder for attackers to exploit vulnerabilities from outside the knowledgeable domain (especially at the application layer of the OSI model), some communication protocols, particularly the Session Initiation Protocol or SIP, which enables Voice over Internet Protocol or VoIP and/or instant messaging communications, are open forms of communication that are authorized to receive traffic from the rest of the world. Benign default policies and access control mechanisms, such as whitelists and blacklists, can be (and are) enforced to narrow the list of domains and peers. However, such policies and mechanisms have their limitations and cannot be overdone—lest the value of the pervasive communication medium be diluted—especially from the standpoint of mobility. For example, if one needs to call the information technology officer of an enterprise to have a hotspot domain added to the list before performing remote access, the service is neither seamless nor ubiquitous but problematic for users.
There has been very little effort, beyond expanding the use of in-line and access-level IPSs (such as signature, rate-based, protocol-anomaly, and behavior-anomaly systems), to combat attacks that use open forms of communication.